Signed session cookies. A good idea?

Front-end · unresolved · 5 · 548
日久生厌 2020-12-07 12:36

In an effort to increase performance, I was thinking of trying to eliminate a plain 'session cookie', but encrypt all the information in the cookie itself.

A very

5 answers
  •  时光取名叫无心
    2020-12-07 12:51

    What makes you think this will improve performance vs. secure session IDs and retrieving the userid and time information from the server-side component of the session?

    If something must be tamper-proof, don't put it in the toddlers' hands. As in, don't give it to the client at all, even with the tamper-proof locking.

    Ignoring the ideological issues, this looks pretty decent. You don't have a nonce. You should add that. Just some random garbage that you store along with the userid and time, to prevent replay or prediction.
